Advice on creating safe(r) W10 environment for elderly use (scams and malware)

Dear reader

I have a question about increasing the threshold for bad actors on an eldery’s W10 system, both user-enabled as well as socially engineered compliance by the user from external influences.

TLDR; despite efforts in education as well as technical thresholds, a slightly mentally impaired (due to medical complications) elderly W10 user keeps installing or enabling scam-, spam- and malware on their system. What more can be done to increase the thresholds without a completely unusable W10 system?

Past summer I was called over to an elderly couple to provide advice on some required PC upgrade the “PC told them to do”, which obviously turned out to be a scam. Long story short: system soft-locked and a pop-up window would flash ‘call X number to buy security update’ or something. This number was called by the client, remote desktop control sessions were started to show some arbitrary data to the client on their PC, but luckily no payments were made after the client said “I have to think about it” etc. during that phone call.

I ran Malwarebytes, which prompted one or two malicious programs. These were some WinZip Updater / WinZip Store and WinCheckup, known programs for being tied to malware install and scams etc. I chose the safest route by doing a clean install (laptop, so took it home), as I came across more assumed malicious web search results and had no idea what else was on the system as a result of that remote desktop control session. I did not want to run the risk of making a final backup of all data on the backup external HDD, as I had (and have) no idea or real knowledge of what was and is possible with malware or scamware(?) transitioning to other media. I performed a manual, non-connected inspection of the most important backed-up files.

Even after going through these numerous increasingly alarming steps in the ‘is this a scam or not’ flowchart, the user did not stop from the aspect of having a suspicion but from a habit of not making payment decision on the spot.

After this event, I strongly advised them to educate themselves better on these matters. Plain and simple spam and scam stuff such as emails with weird characters or domains and foreign numbers are not a problem, but social engineered scams are. Plus they are incapable of discerning the difference between normal, trusted programs and websites/software, and potential malware in both Windows and IOS/Android environments.

I provided them with some sources and personal information and tips.

Along with that, I split up the W10 environment in user and admin with password, where the user profile always needs permission (and password) from the admin to install programs or change anything important. With the advice that, if a potential malware program wants to install for some reason, the first barrier will be that permission.
Furthermore, a desktop client and Chrome extension ISP version of F-secure is installed. Also Malwarebytes. Runs Windows Defender for the rest.

However, a few months later I was texted an image of several Windows notifications insisting that “McAfee licence ended, renew now” as a low-res image, originating from Google Chrome.

Turns out that only a few days days after leaving the user their cleanly installed PC, another program was installed. This time some PDFHub program, which some sources also indicate is a malwareprogram. This time, it ‘hijacked’(?) Chrome and gave notification permissions to numerous malicious websites / servers. It only took them a few months to think of calling me up…

Now, according to my knowledge, this would have required the user to give permission and type in the admin password to allow installation, correct?

Turns out that the user has had a T.I.A. (transient ischaemic attack), which I suspect (also based on information from spouse) has clouded judgement, rational thinking and general thought processes, as well as conditioning habit or self-trust potentially causing to forget all (my) advice and instructions (both technical as well as on the social engineering part).

This obviously plays a big role in this matter, so my question are:

• What more can be done in this case?
• Also, is my thought and process of creating a limited user-profile correct?
• Did I miss anything, or are there even more system-interacting limiting profiles possible?

Thank you in advance.

Kind regards,
JB

Great thread. I think we can widen the scope beyond the medically impaired.

E.g. I, for similar reasons, restricted the W10 accounts of my kids to user permission only as a very first step. Helps both with avoiding malware, but also eliminates the ability to get out of parental controls. Saved our butts a few times.

Look up “Deep Freeze” and what it did back in the early 2000s. That is exactly what you’re looking for, a OS that completely resets upon shutdown and turning back on.

Sandboxie also used to help.

I’ve also seen (but not fully read) an article saying Bitwarden is offering to monitor chat for malicious files and links that could be a useful product in the future:

That could be useful for older people…

I don’t believe Linux is a solution to everything but without some of the traditional virus install methods and the requirement to sudo most everything even if you are an admin it might be a better solution than w10 or w “anything”. If determined to stay with Windows 10, make sure the person in question has a “user” account and not administrative.

This sounds like a fascinating application of the project I’ve been working on (work got busy but it’s still going) for a general purpose RAM disk bootloader where the OS install won’t be persistent across reboots unless the image it loaded from is modified.

I’m gonna bookmark this and come back to it once I have a chance to get that working again.

Look grandpa, you just NEED 128GB of RAM, ok?

thinkn maybe an amnesic OS or distro might not suit the persons needs since they prolly do not have the understanding on moving stuff to external drives or exporting bookmarks each time. If there was a version of windows that acted like tails and gave you the option to retain bookmarks and emails but cleared everything else, so no persistence, then this would be good, tho obvs that would still require putting in a thumb drive each time before startup so, nopes…

the deep freeze thing looks very promising for this use case, tho my first thought went to a non admin linux mint (mate) with a bit of tweaking to make it even more windowsey or if u really have to stick with windows then or you could just go to apps n features (in win 10 or 11) and install openSSH server, do the config and then connect from your…hmm okay maybe not…

this is a tricky and interesting one, i hope the thoughts people give you here do end up helping Jelly… Good luck

Yeah user data is going to be the issue with pretty much any solution.

Unless you just don’t give them admin rights and lock it down completely with group policy settings, which is doable, it’s going to be impossible to stop things from getting in being let in. That’s why I feel like making the OS non-persistent somehow would be a good option, but you still need a way to store local user files - you could do something simple like moving the Libraries (Documents, Pictures, etc) folder locations to a different drive/logical partition to preserve them, but then those could just become infected and you’re back where you started.

I’d propose just buying them a ten pack of Microcenter flash drives to solve that, but it generally doesn’t work out well telling people - who dont understand why - that they need to store everything on an external device or they’ll lose it. Most old people I’ve dealt with don’t even understand how the save dialogue works, or the concepts of files/folders, let alone using a flash drive.

“Okay I saved it.”
“Where?”
“…what do you mean?”
“Where did you save it?”
“In Office?”
“Okay, where specifically did you tell Office to save it?”
“Well it’s on the CPU when I open it.”

Protecting people from themselves sucks.

Now I understand why MSFT offers Office 365. No worries about file placement

Wow, this topic has garnered more interest and contributions than I had anticipated. I greatly appreciate this, and I hope it might provide answers to future readers as well. I’ll go through each comment at the end, but I’ll make a centralised answer first.

I’m seeing a lot of suggestions, but some maybe a bit too much on the tech savvy side. I understand that this may be due to the general audience of L1 and forum, which I can fully understand. I have had to learn to dial back my ‘enthusiasm’, terminology and expectations as well with most of the people of the target group this topic is concerned with. Maybe it will help if I outline some user conditions, that may set some boundaries to this. I’m not excluding possibilities or bashing on ideas, but given my personal experiences in changing workflow or interaction-flow, as well as preferences and capabilities of this age group, in this scenario and use-case (and generally, often for most elderly PC tech situations), I’d like to stick to the following boundaries:

• Continued use of current operating system (often Windows 10): please understand that most barely grasp the concept of folders, directories, hard drive vs ‘cloud’, webbrowser vs google, etc., AFTER (visual) explanation in simple terms.
• User environment of Windows 10 remains similar in workflow, (GUI), icons / style, paths and directories etc.: change is immensely confusing, even a change in icons or layout / navigation can be devastating (thanks Apple…).
• Preferred reactive, or at least freezing, programs or processes: Don’t expect much from the user, they won’t run Malwarebytes (or alike in purpose) or quarantine files or programs on their own. Virusscanners and other protection / barrier systems should run in the background and warn (e.g. auto-scans and auto-quarentine of email attachments, etc., are part of certain programs).
• Making use of off-the-shelf and common/universal software, programs or setting changes. I’m absolutely not risking anything by installing custom hobbyist tools, unless they are considered safe or are widely used by the industry (e.g., WinDirStat, Sysinternals process explorer, etc.).
• Permanent background ‘on-off’ settings etc. are useful. E.g.: tightening or increasing spam filter sensitivity in Outlook (or alike), setting up a low permission level user account in Windows with admin control (with password), turning off auto-attachment or in-line image downloads in email programs, increasing Windows permission prompt sensitivity (the ones you get when downloading or installing), etc.
• Requesting simple additional processes or -steps are possible. For example, asking them to first check email sender domain addresses on trustworthiness (I give them a list of common bad indicators) before opening them or any attachments, or giving them the outlines and indicators of most socially engineered scam concepts, is often not a problem.
• A hands-off solution: I do not want to be required to monitor remote conditions or be required to do weekly checkups, and neither do clients. This is not my job, I mostly do this in my free time to help out others. Some clients have had bad experiences or have been ripped off (€400,- for a simple Android phone media and profile transfer…), so I give them the option of tech help this way. Furthermore, these are not retirement home type of elderly, most just lack the technical experience and expertise in life due to generational differences.

Please also understand that these might be worst case scenarios, some have no problems with certain aspects. I am just covering the worst case yet outer limit of cases that I am willing to take on / put energy into.

The example of @NorthernWing is similar to 90% of my experiences as well. With most I sit down, go through each process step and write it down in their own ‘language’ so that they understand what they wrote down, but with some this still leads to them flat-out skipping steps and being confused why it doesn’t work. And yes, the ‘Office save location’ is one of them. So we’re talking about ineptness as a result of age (not being discriminate, I’m talking biological and synapse degradation), but mostly also because they cannot, and have never had to, grasp the concepts of these type of (digital) systems and their logical (inner) workings. The analogy I often use for HDD, directories/paths and folders in Windows Explorer and its files, and the PC as a whole, is an old archive cabinet. The office is the PC, many things reside there (plants, people, telephones, tv maybe, archive, etc.), the file cabinet is the HDD, folders are, well, folders, but the directories/paths are in which drawer they are stored, and files of course the tangible things in the folders. But more expanded and more limitless. Then they often understand, as it is closer to potential real-life experience they have. The difference between remote storage, or ‘cloud’, and local storage requires a whole different story. But I’m getting off topic.

@jode That’s the kind of user permission thingy I meant. Also, I understand your comment of widening the view, I am just including it for the reason that I need a fool-proof concept or system for an adult of which you might otherwise expect full mental capacity in daily tasks and thought processes (e.g., asking to look up specific but simple things under relaxed conditions with no pressure, e.g. a photo album of year 2020 etc. on the client’s phone, leads to a complete mental jam or brainfart and just results in them furiously tapping left and right on their phone (opening apps, general settings, specific pictures inside that album, etc.).

@FurryJackman That Deep Freeze concept sounds interesting. I am, however, a bit confused on the right-holding party. Is it a service of just one company, or a concept? For example, when searching I come across Faronics, but they seem to be more B2B oriented and not for private use.

But from a conceptual point of view, can I compare the concept to a Windows re-install option where it retains all personal files and settings etc., but wipes all programs? Because something that also wipes Office, printer drivers, card games etc. is not an option.

@regulareel That looks both as interesting as it sounds dicey. Helpful as a first step though, but not applicable to the related PC environment.

@TowedJumper3504 I understand. But given the target group, I think for most Linux is out of the question. Most are finally just getting around in getting used to the W10 environment and (G)UI after all these years. Also, if they look up anything how-to-ish on the internet (there are lots of elderly-focused help-sites) or ask a family member to do something, that will likely result in a massive inadequacy in knowledge and know-how. Also, drivers…

@NorthernWing RAM disk bootloader as in, installing Windows on RAM? I think I’ve seen a video somewhere some years ago about that. Also, sounds interesting, but not really applicable for this use case.

@MilzyBee Thank you. I see your train of thought and realisation in your comment that a lot quickly falls off as viable options.

@NorthernWing The group policy thing might be an interesting addition to the non-admin rights with their user account. However, wasn’t that remove in W10 Home? If not, what would be some of the settings I could look into with GP?

“Yeah user data is going to be the issue with pretty much any solution.”

That is my conclusion as well. Hence my choice in not making a final backup to their backup external HDD. A program or system that completely wipes after each restart sounds great from a security perspective, for a public library or something, but not for a personal computer where, sometimes, ALL personal files (pictures, videos of grandchildren) are on that PC.

I understand that I cannot ask for the perfect system, it may also be that I arrive to the conclusion that it might be best to supervise (by spouse), limit (important tasks done by spouse), or even strongly advice to stop general use of the PC environment (tablet and phone can be more lenient) for this particular case.

For general cases, I will likely still adhere to the user-profile without admin rights etc. and restricting / creating as many checkpoint hurdles in the OS and commonly used programs as possible.

On a sidenote, most clients ask me about their virusscanner they have been talked into when buying their system (often laptop) at the store. I generally tell them that, if it makes them feel safer and they can spare the money, they should keep it (Norton, McAfee, etc.). I often tell them that Windows Defender should suffice for their use scenario (general A-grade website browsing, emails, some Youtube perhaps) and that the first barrier is themselves, followed by some advice based on third-party expertise and knowhow (Jim Browning, The PC Security Channel and others alike on YT) and trusted sources to educate themselves (including free webinars by the banks they have accounts with).

Is my statement on Windows Defender being sufficient correct? I used to, on request, install stuff like Kaspersky. Or where applicable, ISP-provided F-secure (or alike) desktop clients or browser extensions, but don’t anymore based on expert suggestions that Windows Defender should be enough.
I’ve had plenty of clients with scam situations, where I had to fix everything afterwards (including re-installs), that blame the computer and that they should “buy antivirus program” as panic reaction. And I refer them to my argument again about educating themselves and becoming more resistant to social engineering, before they act on their suggestion by throwing out the computer because it is not safe…

It’s just that my mother-in-law gets a lot of malware via chat and that is what I feel to be a more common avenue for malware to get in via computer, especially if your older folks havent gotten into email at all. It could be that instead of android, your parents might use Win10 for their Facebook Messenger interaction but the malware problem is still the same. It is a bit creepy, but the alternative is having another family member watching over their chat pretty much 24/7 and that is a too much.

If the software doing the chat monitoring is open source and auditable. Are you amenable to that?

@jellybutt I completely understand your concerns and where you are coming from. There are no easy answers or we’d all be doing them already as a best practice right?

Drivers can be a barrier to linux adoption but if you are sticking with a modern kernel its usually not an issue. Regardless, I get it. Thanks for taking the time to listen to our suggestions, in the end we will probably all have relatives in the same situation sooner or later so I am interested in seeing where this goes. Ultimately if you stay with Windows 10 you should:

1. Have UAC (User Account Control) turned on. UAC is the “annoying” popup where the screen goes dark and asks you to approve an action that can perform sensitive operations to the system. If you are doing it in an account that is a “User” level it will ask you for a user account with admin rights and the password. Its a good barrier for situations like this.

2. The user account set to a “User” level not admin

3. A separate admin account should be created for administration thats not used otherwise (IE not as a daily account) and other accounts converted to user accounts. No daily use account should be an admin account. If it is an admin account you need to worry about someone social engineering the victim into approving something to get installed but if they can’t and don’t know the admin account name or password that’s a layer of protection for them. That’s a good best practice regardless of who you are and what you are doing.

4. Ensure patching of windows and web apps (browsers, chat, etc) are being done and they are in fact up to date and set to automatic. All is easier said than done of course.

OPTIONAL/THOUGHT: It sounds like you are looking to set this up for a range of people, not yourself or family. You might want to look into a Yubikey biometric setup with a family member’s or trusted third party finger registered to it. That way you could use Bitwarden and lock up those banking details behind a password manager with 2 factor. Could also look into a password manager with a TOTP setup for the same kind of thing but registered to the trusted third party’s phone. That way they would get pinged if it was attempting to be used and get them involved.

You know, you can’t be the only one with this issue, I wonder if there are sites out there with TTP that we can use. Looking myself now

What do they do? Basic web browsing? Shove a Linux PC or chrome book into their lap and say deal with it. Nothing is going to keep them from telling the wrong people their password or credit card details etc.

create a user account that has limited permissions for installing stuff
contact the isp and enable there web protections for spam/malware/porn.
this will stop most 18 rated content and a lot of spam sites.

add spam and adblocks to there browser.

antivirus… better to have one than just rely on defender.
malware bytes and bit-defender are good options.

after that its user error and you cant do much about that.

I am thinking of an idealized system for you. I really dont know how to properly implement this but hear me out:

How about an amnesiac system (like Tails), but uses windows VMs instead (with an underlying linux OS of course).

Each boot completely wipes the OS into a fixed image that you can remotely manage and update as needed. I have seen these kinds of things in the old LAN cafes.

But you go back to the problem of mixing user files and potential malware. You cant just submit some of their files as samples for Virus Total to analyze - that is sort of invasive because all paying VirusTotal clients will have access to the uploaded files. Are you personally going to babysit all their files in real time?

Ok now to think of it, just give them all Chromebooks and be done with it. Either that or babysit all their files yourself or let all their personal files be seen by VirusTotal.

This, to me, is 100% a use case for replacing their device with a Chromebook (or installing ChromeOS Flex on their existing hardware):

• Very limited ability to install things or modify the OS itself.
• Files are kept in the cloud rather than on the local disk.
• Much more restricted platform when it comes to malware/viruses.

Are there tasks they carry out on their device that couldn’t be carried out on ChromeOS/Flex?

Again, a thank you to everyone willing to participate on this subject. If I can read the room correctly, I am seeing a mixed participation: people who post case-specific questions and suggestions, and people who provide suggestions beyond my listed boundaries / wishes. This last group likely has the intention and desire for a generalised topic on this matter for wide-spread (future) use.

Continuing with the spirit of that last group, I think it will be useful and more clear if I compile a list of options, based on posted suggestions. I will add to this list for any subsequent posts after this one. Or, if desired, you may split this post into a new topic, Mr or Ms moderator.
If you’d like to contribute, propose changes or point out errors, please let me know its placement and description as you envisioned (so I don’t have to guess in case it is beyond my level of comprehension or judgement).

Please correct me if my categorisation, terminology, description or division conditions are incorrect or insufficient; I can handle myself PC-wise on a hardware level and some above-average user Windows stuff, but administrative policies or OS variations, thát I am not really acquainted with.

Changing or increasing barriers and fail-safes within Windows environment; none to passive user influence or input

• Enable and increase User Account Control sensitivity
• Create a password protected user (optional for password) and admin account (password mandatory); user for daily usage, and admin for admin stuff. Any user-account interactions, e.g. installing remote desktop software most scammers will request you to install, will always require entering admin password
• Lowering and limiting aforementioned user account’s permissions in Group Policy
• Increasing email program spam sensitivity level
• Disabling non-text email auto-downloads (enabling text-only email, disabling auto-attachment downloads, etc.)
• Contacting ISP for increased filtering / protection
• Enable automatic updates for installed programs and services
• Installing more invasive / protective / fail-safe-heavy computer protection programs with most secure settings enabled (either freeware or paid), whatever provides real-time quarantining, scanning and protection. Also check your ISP, some offer fairly elaborate and well-reviewed protection programs and services, often already part of your subscription and thus free (at least, in my country).
  ^ Comodo (firewall + HIPS, the rest seems out of date according to the internet), Malwarebytes, Bitdefender, some Norton stuff (?), Hitman Pro, Avast (One) or Kaspersky, … etc.
• Active monitoring programs (also see above), but also including chat interactions (facebook, also mobile)
• Installing spam-, ad-, tracking- and malware-blocking services:
  ^ Webbrowser: Adblock, Adblock Plus, Ghostery, HTML5 autoplay-blocker, DuckDuckGo Privacy Essentials, … etc.
  ^ Any VPN-included services (e.g., I have PIA MACE enabled)
  ^ Any additional services from anti-virus and anti-malware programs (freeware or subscription)
• Not storing passwords on the system desktop in a Notepad or Word file, or desktop sticky with WV or W7…

Additive processes or products; active user input

• Scanning and/or quarentining (downloaded) files or volumes with use of right-click Windows Defender, any intervening and quarantining installed third-party PC protection program, PeStudio, … etc.
• Encourage 3-2-1 backup rule, or at least a 2-1 rule on external HDD or flash drive, or even cloud. This is not preventative, but a clean install of Windows after a superficial infection is no problem then (apart from any licensed programs and product keys)
• Use of third party 2FA / TTP (if needed), either physical (Yubikey) or digital
• Frequent change of passwords, especially for critical stuff
• Non-conventional password generation, or in case a system for creating and remembering / looking up passwords is difficult, make use of password manager
• Secondary email for non-critical sign-ups or potential marketing-mail enlisting etc. (hard to judge, but most often online purchases, social-deal websites, group-on, facebook opt-ins etc. This will have to be explained to the user, preferably with a guideline on when to choose which email)
• Inform about search engine shortcomings and pitfalls. E.g., searching for very common (national) requirements involving tests and payments may bring up malicious websites, that pose (or spoof) as the official source. I tell users to avoid the promoted ads with Google / Bing etc., I’ve seen scams happen once or twice from that. And also, to cross-reference with other official sources for correct URLs, emails or phone numbers, preferably with physical paper forms

Change in work and interaction process, change in OS (process)

• Installing Linux variants (either amnesiac, like Tails, or ‘normal’ (?))
• Installing Linux with Windows as VM (either amnesiac, like Tails, or ‘normal’ (?))
• Any form of Deep Freeze / clean reboot concepts for Windows
• Installing ChromeOS Flex
• Switching to Chromebook

Please note: interpretation and depends on the situation, capabilities and environment of the user. And as expected, the more intense or disruptive a change will be, the more (negative) side-effects and downsides are likely to accompany that solution.

Social engineering aspect; awareness and hardening
This is the subject that is probably hardest to address. Even with including additional barriers, such as user-admin account split with severe limitations for user or external 2FA, can be nullified if the user ‘forgets’ or is influenced / coerced into by external parties.

I tend to educate clients by providing a (short) list of indications of potential bad actors, as well as what information they should limit themselves in promoting to external sources (either by right or as leak- or malicious-intent prevention). This has a wide range, but includes topics on email, webbrowsing, chat-based interactions, website and webshop judging, password generation and storage, file storage and backups, file and attachment downloads, personal information distribution, telephone interactions and sometimes even physical interactions (stores, doorbell scammers, etc.). Furthermore, research your local or national critical organisations, such as banks. In my country, most banks offers free webinars, FAQs and info-pages on scamming and spoofing for all age groups (mostly on banking, but tips can be applied conceptually to other environments and situations as well).

This probably also includes the subject of ‘protecting people from themselves’, be it naive in origin or plain computer illiterate / technophobic. Likewise, the aforementioned research on local initiatives for elderly tech-support may provide a good organised, central and trustworthy solution. I know my country has several, local, regional and national, either organised by municipality or charity-like organisations.

For purposes related to this specific case, I have already mentioned most in-text, but I see that my posts are quite ‘heavy’ and not everything may have been read. I won’t list them again, but during/after constructing the list above, I have come to the conclusion that I have: performed most, if not all, initiatives from the passive category with this client, where applicable; some of the active category; and most of the social engineering awareness and hardening. Maybe some other additional suggestions may pop up later on. The only thing I haven’t really touched is Group Policy.

@MarcWWolfe @ScottishTom @regulareel
The client uses the Windows PC with minimal programs, has an Office 365 family subscription, but a lot of files, if not all, are local storage. Also, quite a lot of text and media processing, business bookkeeping and frequent HDD backup-transfers takes place on that PC. And general webbrowsing and emailing. So an amnesiac system would not be an option, in my view. Something like Chromebook or ChromeOS Flex does sound promising, but I’ll have to look into the compatibility of used files and external volumes etc., as well as its (G)UI.
Most phone stuff is cloud and local phone storage, sometimes also transferred to PC and then to backup HDD, but not always… So quite a lot of media up-to-dateness inconsistencies, where I cannot rely on one simple system for media storage in case of amnesiac systems.

@regulareel Chat systems, such as Messenger or Facebook or whatever its called, are rarely used on the PC. WhatsApp and Messenger are on phone though, but is IOS and mainly / always with relatives or friends. They are also quite careful about direct unknown communication, such as scam calls or scam text messages (also, quite a lot of public TV announcements are made with examples, as well as in-app alerts in our banking apps). I know ID-hijacking/-impersonation is a thing, I’ve seen it personally, but this is a targeted attack attempt and not a common widespread scam practice. Protecting against that is nearly impossible, other than preemptive warnings and (heightened) awareness (like I have done now after these scammers had gotten the client’s mobile phone number after he called them) and verifying financial requests via secondary means.
Also, I’m not talking about my parents here. This is just someone I know via someone else, and just help out with tech stuff (like most of my clients). If only they were, then I could pressure them into much more, much easier, and control/oversee much more.

@TowedJumper3504 Critical financial, healthcare and other official national stuff is already handled by trusted 2FA, using multiple devices. Non-critical also, such as recovery devices and non-conventional or weird location logins on apps, email, profiles etc. Luckily, that part is fairly secure in our country, and the client (and spouse) are quite up to date on that front. Doesn’t stop willing participation after socially engineered pressure though. But no 2FA can beat that (yet).

@anon7678104 Thanks, the ISP suggestion is something I will look into. The rest is already implemented.

I see that a lot of suggestions end after Group Policy edits, user-admin account splits and additional passive / background processes when sticking to Windows 10 environment, after which a fairly large leap towards others OS systems or environments is suggested (either with same hardware, i.e. Linux or ChromeOS Flex, or hardware-linked such as Chromebooks).
Aside from this case, I’d say that might be an option for some, but for most of the people I’m dealing with that is not. Like I have already pointed out earlier, getting people to change their habit and use-pattern in Windows to any other layout, let alone user input requirements, system level buildup, navigation, logic and settings, is most often immensely difficult to impossible. Especially with older generations (generally). Plus, some run certain programs of which I know are Window-only, or run programs of which they don’t have the physical product key of anymore.
VM’s could be an option there, but I have no practical knowledge about that and would have to educate myself.

The users in the OP are primary iPad candidates.

They likely don’t need to do anything complex, files are saved with the app they were saved from by default, they’re (in reality) practically immune to malware and cheaper to buy than a pc.

The ipad OS promotes safe computing habits and makes them super easy to implement.

Making a pc, especially windows safe for people effectively neuters it anyway.